Date: 2004-03-24 10:48:00
Tags: spam
beating back the demons

I've noticed a significant increase in worm related email traffic over the last couple of days, apparently related to the "netsky" variant this time (though it's getting harder to tell all the different variants apart). Overnight last night I received nearly 400 new worm-related email messages, all of which successfully passed through qgreylist, spamassassin, and some custom filters that worked for mydoom.

In looking at the incoming messages, I noticed something odd about the HELO command that was used. Normally in an SMTP transaction, the first command that the sending mail server sends to the receiver is something like "HELO", which means the sender is responsible for sending messages from This HELO name isn't actually used during the delivery of the messages, but is just sort of a polite introduction.

What I noticed was that in most of these worm messages, the sender was using the command "HELO". This is backwards, it should be using the domain name of the sender, not the recipient. So I can be sure that if the sender uses my domain name in HELO, then it is not a legitimate message. By using the following procmail rule:

* ^Received:.*(HELO

a huge number of worm messages have been caught. In just the last 2.5 hours, 181 messages have been blocked and 33 got through. Of those that got through, virtually all of them are bounce messages from other mail servers, where a message to with my name forged in the From field, was returned to me as undeliverable. These types of messages, since they are sent by legitimate functional mail servers, have correct HELO commands and are not recognized by this filter.

Unfortunately, the latest variants of these email worms no longer seem to have automatic built-in expiration dates (as reported by mcafee or symantec), like the sobig family did. We can therefore expect to be plagued by these for some time to come.

Finally, this would be a good time to remind everybody who is responsible for any email operations to adopt Sender Policy Framework and publish SPF records. Doing so will help reduce the ability for worms to forge email addresses from your domain, and using SPF filtering against incoming messages will help you reject messages with forged From addresses.

You need to help me cowvince Moonwick to install greylisting on LHN :)
I configured postfix to reject any messages that gave my host or IP address on the HELO line. Yeah, I know, it's not RFC compliant, but it catches a couple of dozen messages a day.
Greg Hewgill <>